Closed c4-bot-8 closed 4 months ago
saxenism (sponsor) disputed
We are aware of the risks and therefore we have a permissioned system for accepting tokens into the bridge and any non-standard implementation of ERC20 tokens won't be allowed. We consider this a non-issue.
saxenism (sponsor) acknowledged
The Warden describes how a blacklist will affect bridging functionality when the intended recipient is blacklisted. Such behavior is considered acceptable and coupled with the permissioned token list of the bridge is considered OOS.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/zksync/contracts/bridge/L2SharedBridge.sol#L123 https://github.com/code-423n4/2024-03-zksync/blob/4f0ba34f34a864c354c7e8c47643ed8f4a250e13/code/contracts/ethereum/contracts/bridge/L1SharedBridge.sol#L452
Vulnerability details
Impact
The inability to update the
_l1Receiver
address upon blacklisting could lead to permanent locking of funds within theL1SharedBridge
.Proof of Concept
In
L2SharedBridge.sol::withdraw()
, users can initiate a withdrawal by burning funds on the contract and sending a message to L1, where tokens would be unlocked. Note that funds will be sent to the_l1Receiver
, and there is no way to change this address after callingwithdraw()
since the funds are burned on L2 and the message has been sent to L1. Link to codeThen, the user can unlock the funds by calling
finalizeWithdrawal
onL1SharedBridge
, which sends the tokens to the_l1Receiver
specified on L2: Link to codeGiven that some widely used tokens like USDC, Tether, etc., have blacklisting mechanisms, in the case when
_l1Receiver
gets or is blacklisted in an L1 token like USDC, Tether, etc., funds will be permanently locked withinL1SharedBridge
.Tools Used
Foundry VSCode
Recommended Mitigation Steps
Empower users with the ability to update the
_l1Receiver
address in case of blacklisting or other exceptional circumstances.One of the possible solutions is to implement an ERC20 token, let's call it
ZToken
, which is pegged to the L1 token. In this proposed approach, during the withdrawal process, the_l1Receiver
would receiveZToken
instead of the L1 token directly. Subsequently, the_l1Receiver
can redeem theZToken
for the corresponding L1 token. This mechanism provides flexibility in scenarios where the redemption fails due to the address being blacklisted. If the redemption transaction fails because the_l1Receiver
is blacklisted on the L1 token, they can transfer theZToken
to another address that is not blacklisted in L1 token.Assessed type
ERC20